VictoriaMetrics · AndrewChubatiuk · Nov 25, 2024 · Nov 23, 2024
@@ -9,7 +9,7 @@
 ![AppVersion: v1.106.1](https://img.shields.io/static/v1?label=AppVersion&message=v1.106.1&color=success&logo=)
 ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
 
-**Update note**: This release contains breaking changes. please follow [upgrade guide](../#upgrade-to-050)
+**Update note**: This release contains breaking changes. please follow [upgrade guide](./#upgrade-to-050)
 
 - set default DNS domain to `cluster.local.`
 - added `.Values.zoneTpl` to define a default configuration for each `.Values.availabilityZones`

@@ -1,8 +1,11 @@
 ## Next release
 
+**Update note**: This release contains breaking changes. please follow [upgrade guide](./#upgrade-to-0290)
+
 - fixed ability to override CR names using `<component>.name`. See [this issue](https://github.com/VictoriaMetrics/helm-charts/issues/1778)
 - updated common dependency 0.0.28 -> 0.0.29
 - bump operator chart version to 0.38.0
+- replaced all `<component>.vmauth` params to `vmauth.spec` to provide more flexibility in vmauth configuration. See [this issue](https://github.com/VictoriaMetrics/helm-charts/issues/1793)
 
 ## 0.28.4
 

@@ -348,6 +348,44 @@ $ helm show crds vm/victoria-metrics-k8s-stack --version [YOUR_CHART_VERSION] |
 
 All other manual actions upgrades listed below:
 
+### Upgrade to 0.29.0
+
+To provide more flexibility for VMAuth configuration all `<component>.vmauth` params were moved to `vmauth.spec`.
+Also `.vm.write` and `.vm.read` variables are available in `vmauth.spec`, which represent `vmsingle`, `vminsert`, `externalVM.write` and `vmsingle`, `vmselect`, `externalVM.read` parsed URLs respectively.
+
+If your configuration in version < 0.29.0 looked like below:
+
+```
+vmcluster:
+  vmauth:
+    vmselect:
+      - src_paths:
+          - /select/.*
+        url_prefix:
+          - /
+    vminsert:
+      - src_paths:
+          - /insert/.*
+        url_prefix:
+          - /
+```
+
+In 0.29.0 it should look like:
+
+```
+vmauth:
+  spec:
+    unauthorizedAccessConfig:
+      - src_paths:
+          - '{{ .vm.read.path }}/.*'
+        url_prefix:
+          - '{{ urlJoin (omit .vm.read "path") }}/'
+      - src_paths:
+          - '{{ .vm.write.path }}/.*'
+        url_prefix:
+          - '{{ urlJoin (omit .vm.write "path") }}/'
+```
+
 ### Upgrade to 0.13.0
 
 - node-exporter starting from version 4.0.0 is using the Kubernetes recommended labels. Therefore you have to delete the daemonset before you upgrade.
@@ -1249,43 +1287,12 @@ vmsingle:
       <td><pre class="helm-vars-default-value" language-yaml" lang="plaintext">
 <code class="language-yaml">read:
     url: ""
-vmauth:
-    read:
-        - src_paths:
-            - /select/.*
-          url_prefix:
-            - /
-    write:
-        - src_paths:
-            - /insert/.*
-          url_prefix:
-            - /
 write:
     url: ""
 </code>
 </pre>
 </td>
       <td><p>External VM read and write URLs</p>
-</td>
-    </tr>
-    <tr>
-      <td>externalVM.vmauth</td>
-      <td>object</td>
-      <td><pre class="helm-vars-default-value" language-yaml" lang="plaintext">
-<code class="language-yaml">read:
-    - src_paths:
-        - /select/.*
-      url_prefix:
-        - /
-write:
-    - src_paths:
-        - /insert/.*
-      url_prefix:
-        - /
-</code>
-</pre>
-</td>
-      <td><p>Custom VMAuth config, url_prefix requires only path, which will be appended to a read and write base URL. To disable auth for read or write empty list for component config <code>externalVM.vmauth.&lt;component&gt;: []</code></p>
 </td>
     </tr>
     <tr>
@@ -2408,10 +2415,15 @@ selectAllByDefault: true
       <td><pre class="helm-vars-default-value" language-yaml" lang="plaintext">
 <code class="language-yaml">discover_backend_ips: true
 port: "8427"
+unauthorizedAccessConfig:
+    - src_paths:
+        - '{{ .vm.read.path }}/.*'
+      url_prefix:
+        - '{{ urlJoin (omit .vm.read "path") }}/'
 </code>
 </pre>
 </td>
-      <td><p>Full spec for VMAuth CRD. Allowed values described <a href="https://docs.victoriametrics.com/operator/api#vmauthspec" target="_blank">here</a></p>
+      <td><p>Full spec for VMAuth CRD. Allowed values described <a href="https://docs.victoriametrics.com/operator/api#vmauthspec" target="_blank">here</a> It&rsquo;s possible to use given below predefined variables in spec: * <code>{{ .vm.read }}</code> - parsed vmselect, vmsingle or externalVM.read URL * <code>{{ .vm.write }}</code> - parsed vminsert, vmsingle or externalVM.write URL</p>
 </td>
     </tr>
     <tr>
@@ -2781,26 +2793,6 @@ vmstorage:
 </pre>
 </td>
       <td><p>Data retention period. Possible units character: h(ours), d(ays), w(eeks), y(ears), if no unit character specified - month. The minimum retention period is 24h. See these <a href="https://docs.victoriametrics.com/single-server-victoriametrics/#retention" target="_blank">docs</a></p>
-</td>
-    </tr>
-    <tr>
-      <td>vmcluster.vmauth</td>
-      <td>object</td>
-      <td><pre class="helm-vars-default-value" language-yaml" lang="plaintext">
-<code class="language-yaml">vminsert:
-    - src_paths:
-        - /insert/.*
-      url_prefix:
-        - /
-vmselect:
-    - src_paths:
-        - /select/.*
-      url_prefix:
-        - /
-</code>
-</pre>
-</td>
-      <td><p>Custom VMAuth config, url_prefix requires only path, which will be appended to a select and insert base URL. To disable auth for vmselect or vminsert empty list for component config <code>vmcluster.vmauth.&lt;component&gt;: []</code></p>
 </td>
     </tr>
     <tr>

@@ -265,6 +265,43 @@ $ helm show crds vm/victoria-metrics-k8s-stack --version [YOUR_CHART_VERSION] |
 
 All other manual actions upgrades listed below:
 
+### Upgrade to 0.29.0
+
+To provide more flexibility for VMAuth configuration all `<component>.vmauth` params were moved to `vmauth.spec`.
+Also `.vm.write` and `.vm.read` variables are available in `vmauth.spec`, which represent `vmsingle`, `vminsert`, `externalVM.write` and `vmsingle`, `vmselect`, `externalVM.read` parsed URLs respectively.
+
+If your configuration in version < 0.29.0 looked like below:
+
+```
+vmcluster:
+  vmauth:
+    vmselect:
+      - src_paths:
+          - /select/.*
+        url_prefix:
+          - /
+    vminsert:
+      - src_paths:
+          - /insert/.*
+        url_prefix:
+          - /
+```
+
+In 0.29.0 it should look like:
+
+```
+vmauth:
+  spec:
+    unauthorizedAccessConfig:
+      - src_paths:
+          - '{{"{{"}} .vm.read.path {{"}}"}}/.*'
+        url_prefix:
+          - '{{"{{"}} urlJoin (omit .vm.read "path") {{"}}"}}/'
+      - src_paths:
+          - '{{"{{"}} .vm.write.path {{"}}"}}/.*'
+        url_prefix:
+          - '{{"{{"}} urlJoin (omit .vm.write "path") {{"}}"}}/'
+```
 
 ### Upgrade to 0.13.0
 

@@ -29,11 +29,7 @@
     {{- $baseURL := include "vm.url" . -}}
     {{- $_ := set $endpoint "url" (printf "%s/api/v1/write" $baseURL) -}}
   {{- else if $Values.vmcluster.enabled -}}
-    {{- if $Values.vmauth.enabled -}}
-      {{- $_ := set . "appKey" (list "vmauth" "spec") -}}
-    {{- else -}}
-      {{- $_ := set . "appKey" (list "vmcluster" "spec" "vminsert") -}}
-    {{- end -}}
+    {{- $_ := set . "appKey" (list "vmcluster" "spec" "vminsert") -}}
     {{- $baseURL := include "vm.url" . -}}
     {{- $tenant := $Values.tenant | default 0 -}}
     {{- $_ := set $endpoint "url" (printf "%s/insert/%d/prometheus/api/v1/write" $baseURL (int $tenant)) -}}
@@ -160,67 +156,29 @@
 {{- /* VMAuth spec */ -}}
 {{- define "vm.auth.spec" -}}
   {{- $Values := (.helm).Values | default .Values }}
-  {{- $unauthorizedAccessConfig := default list }}
   {{- $_ := set . "style" "managed" -}}
   {{- if $Values.vmsingle.enabled -}}
     {{- $_ := set . "appKey" (list "vmsingle" "spec") -}}
-    {{- $url := include "vm.url" . }}
-    {{- $srcPath := clean (printf "%s/.*" (urlParse $url).path) }}
-    {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig (dict "src_paths" (list $srcPath) "url_prefix" (list $url)) }}
+    {{- $url := urlParse (include "vm.url" .) -}}
+    {{- $_ := set . "vm" (dict "read" $url "write" $url) }}
   {{- else if $Values.vmcluster.enabled -}}
-    {{- $authConfig := ($Values.vmcluster).vmauth }}
     {{- $_ := set . "appKey" (list "vmcluster" "spec" "vminsert") -}}
-    {{- $writeAuths := $authConfig.vminsert }}
-    {{- $writeUrl := include "vm.url" . }}
-    {{- range $writeAuth := $writeAuths }}
-      {{- $urls := default list }}
-      {{- range $prefix := $writeAuth.url_prefix }}
-        {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $writeUrl).path $writeUrl) $prefix) }}
-      {{- end }}
-      {{- $_ := set $writeAuth "url_prefix" $urls}}
-      {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $writeAuth -}}
-    {{- end }}
+    {{- $writeURL := urlParse (include "vm.url" .) -}}
+    {{- $_ := set $writeURL "path" (printf "%s/insert" $writeURL.path) -}}
     {{- $_ := set . "appKey" (list "vmcluster" "spec" "vmselect") -}}
-    {{- $readAuths := $authConfig.vmselect }}
-    {{- $readUrl := include "vm.url" . }}
-    {{- range $readAuth := $readAuths }}
-      {{- $urls := default list }}
-      {{- range $prefix := $readAuth.url_prefix }}
-        {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $readUrl).path $readUrl) $prefix) }}
-      {{- end }}
-      {{- $_ := set $readAuth "url_prefix" $urls}}
-      {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $readAuth -}}
-    {{- end -}}
-  {{- else if or $Values.externalVM.read.url $Values.externalVM.write.url }}
-    {{- with $Values.externalVM.read.url }}
-      {{- $authConfig := ($Values.externalVM).vmauth }}
-      {{- $readAuths := $authConfig.read }}
-      {{- $readUrl := . }}
-      {{- range $readAuth := $readAuths }}
-        {{- $urls := default list }}
-        {{- range $prefix := $readAuth.url_prefix }}
-          {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $readUrl).path $readUrl) $prefix) }}
-        {{- end }}
-        {{- $_ := set $readAuth "url_prefix" $urls}}
-        {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $readAuth -}}
-      {{- end -}}
+    {{- $readURL := urlParse (include "vm.url" .) -}}
+    {{- $_ := set $readURL "path" (printf "%s/select" $readURL.path) -}}
+    {{- $_ := set . "vm" (dict "read" $readURL "write" $writeURL) -}}
+  {{- else if or $Values.externalVM.read.url $Values.externalVM.write.url -}}
+    {{- $_ := set . "vm" (default dict) -}}
+    {{- with $Values.externalVM.read.url -}}
+      {{- $_ := set $.vm "read" (urlParse .) -}}
     {{- end -}}
-    {{- with $Values.externalVM.write.url }}
-      {{- $authConfig := ($Values.externalVM).vmauth }}
-      {{- $writeAuths := $authConfig.write }}
-      {{- $writeUrl := . }}
-      {{- range $writeAuth := $writeAuths }}
-        {{- $urls := default list }}
-        {{- range $prefix := $writeAuth.url_prefix }}
-          {{- $urls = append $urls (printf "%s%s" (trimSuffix (urlParse $writeUrl).path $writeUrl) $prefix) }}
-        {{- end }}
-        {{- $_ := set $writeAuth "url_prefix" $urls}}
-        {{- $unauthorizedAccessConfig = append $unauthorizedAccessConfig $writeAuth -}}
-      {{- end -}}
+    {{- with $Values.externalVM.write.url -}}
+      {{- $_ := set $.vm "write" (urlParse .) -}}
     {{- end -}}
   {{- end -}}
   {{- $spec := $Values.vmauth.spec }}
-  {{- $_ := set $spec "unauthorizedAccessConfig" (concat $unauthorizedAccessConfig ($spec.unauthorizedAccessConfig | default list)) }}
   {{- with (include "vm.license.global" .) -}}
     {{- $_ := set $spec "license" (fromYaml .) -}}
   {{- end -}}
@@ -319,7 +277,7 @@
   {{- $ctx := . }}
   {{- $Values := (.helm).Values | default .Values }}
   {{- $datasources := $Values.defaultDatasources.extra | default list -}}
-  {{- if or $Values.vmsingle.enabled $Values.vmcluster.enabled -}}
+  {{- if or $Values.vmsingle.enabled $Values.vmcluster.enabled $Values.externalVM.read -}}
     {{- $readEndpoint:= include "vm.read.endpoint" $ctx | fromYaml -}}
     {{- $defaultDatasources := default list -}}
     {{- range $ds := $Values.defaultDatasources.victoriametrics.datasources }}

@@ -239,19 +239,6 @@ additionalVictoriaMetricsMap:
 
 # -- External VM read and write URLs
 externalVM:
-  # -- Custom VMAuth config, url_prefix requires only path, which will be appended to a read and write base URL.
-  # To disable auth for read or write empty list for component config `externalVM.vmauth.<component>: []`
-  vmauth:
-    read:
-      - src_paths:
-          - /select/.*
-        url_prefix:
-          - /
-    write:
-      - src_paths:
-          - /insert/.*
-        url_prefix:
-          - /
   read:
     url: ""
     # bearerTokenSecret:
@@ -323,19 +310,6 @@ vmcluster:
   enabled: false
   # -- VMCluster annotations
   annotations: {}
-  # -- Custom VMAuth config, url_prefix requires only path, which will be appended to a select and insert base URL.
-  # To disable auth for vmselect or vminsert empty list for component config `vmcluster.vmauth.<component>: []`
-  vmauth:
-    vmselect:
-      - src_paths:
-          - /select/.*
-        url_prefix:
-          - /
-    vminsert:
-      - src_paths:
-          - /insert/.*
-        url_prefix:
-          - /
   # -- Full spec for VMCluster CRD. Allowed values described [here](https://docs.victoriametrics.com/operator/api#vmclusterspec)
   spec:
     # -- Data retention period. Possible units character: h(ours), d(ays), w(eeks), y(ears), if no unit character specified - month. The minimum retention period is 24h. See these [docs](https://docs.victoriametrics.com/single-server-victoriametrics/#retention)
@@ -746,9 +720,17 @@ vmauth:
   # -- VMAuth annotations
   annotations: {}
   # -- (object) Full spec for VMAuth CRD. Allowed values described [here](https://docs.victoriametrics.com/operator/api#vmauthspec)
+  # It's possible to use given below predefined variables in spec:
+  # * `{{ .vm.read }}` - parsed vmselect, vmsingle or externalVM.read URL
+  # * `{{ .vm.write }}` - parsed vminsert, vmsingle or externalVM.write URL
   spec:
     discover_backend_ips: true
     port: "8427"
+    unauthorizedAccessConfig:
+      - src_paths:
+          - '{{ .vm.read.path }}/.*'
+        url_prefix:
+          - '{{ urlJoin (omit .vm.read "path") }}/'
 
 vmagent:
   # -- Create VMAgent CR